@stackframe/stack 2.4.17 → 2.4.20

package/dist/esm/lib/stack-app.js

@@ -6,21 +6,23 @@ import { StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/uti
 import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
 import { AsyncResult, Result } from "@stackframe/stack-shared/dist/utils/results";
 import { suspendIfSsr } from "@stackframe/stack-shared/dist/utils/react";
-import { AsyncStore } from "@stackframe/stack-shared/dist/utils/stores";
+import { Store } from "@stackframe/stack-shared/dist/utils/stores";
 import { getProductionModeErrors } from "@stackframe/stack-shared/dist/interface/clientInterface";
-import { isClient } from "../utils/next";
+import { isBrowserLike } from "@stackframe/stack-shared/src/utils/env";
 import { callOAuthCallback, signInWithOAuth } from "./auth";
 import * as NextNavigationUnscrambled from "next/navigation";
 import { constructRedirectUrl } from "../utils/url";
-import { filterUndefined, omit } from "@stackframe/stack-shared/dist/utils/objects";
+import { deepPlainEquals, filterUndefined, omit } from "@stackframe/stack-shared/dist/utils/objects";
 import { resolved, runAsynchronously, wait } from "@stackframe/stack-shared/dist/utils/promises";
 import { AsyncCache } from "@stackframe/stack-shared/dist/utils/caches";
 import { suspend } from "@stackframe/stack-shared/dist/utils/react";
 import { scrambleDuringCompileTime } from "@stackframe/stack-shared/dist/utils/compile-time";
 import { isReactServer } from "@stackframe/stack-sc";
 import * as cookie from "cookie";
+import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
+import { useTrigger } from "@stackframe/stack-shared/dist/hooks/use-trigger";
 var NextNavigation = scrambleDuringCompileTime(NextNavigationUnscrambled);
-var clientVersion = "js @stackframe/stack@2.4.17";
+var clientVersion = "js @stackframe/stack@2.4.20";
 function permissionDefinitionScopeToType(scope) {
   return { "any-team": "team", "specific-team": "team", "global": "global" }[scope.type];
 }
@@ -61,45 +63,13 @@ function getDefaultBaseUrl() {
 }
 var defaultBaseUrl = "https://app.stack-auth.com";
 function createEmptyTokenStore() {
-  return new AsyncStore({
+  return new Store({
     refreshToken: null,
     accessToken: null
   });
 }
-var cookieTokenStore = null;
-var cookieTokenStoreInitializer = () => {
-  if (!isClient()) {
-    throw new Error("Cannot use cookie token store on the server!");
-  }
-  if (cookieTokenStore === null) {
-    cookieTokenStore = new AsyncStore();
-    let hasSucceededInWriting = true;
-    setInterval(() => {
-      if (hasSucceededInWriting) {
-        const newValue = {
-          refreshToken: getCookie("stack-refresh"),
-          accessToken: getCookie("stack-access")
-        };
-        const res = cookieTokenStore.get();
-        if (res.status !== "ok" || res.data.refreshToken !== newValue.refreshToken || res.data.accessToken !== newValue.accessToken) {
-          cookieTokenStore.set(newValue);
-        }
-      }
-    }, 10);
-    cookieTokenStore.onChange((value) => {
-      try {
-        setOrDeleteCookie("stack-refresh", value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
-        setOrDeleteCookie("stack-access", value.accessToken, { maxAge: 60 * 60 * 24 });
-        hasSucceededInWriting = true;
-      } catch (e) {
-        hasSucceededInWriting = false;
-      }
-    });
-  }
-  return cookieTokenStore;
-};
 var loadingSentinel = Symbol("stackAppCacheLoadingSentinel");
-function useCache(cache, dependencies, caller) {
+function useAsyncCache(cache, dependencies, caller) {
   suspendIfSsr(caller);
   const subscribe = useCallback((cb) => {
     const { unsubscribe } = cache.onChange(dependencies, () => cb());
@@ -123,17 +93,13 @@ var createCache = (fetcher) => {
     {}
   );
 };
-var createCacheByTokenStore = (fetcher) => {
+var createCacheBySession = (fetcher) => {
   return new AsyncCache(
-    async ([tokenStore, ...extraDependencies]) => await fetcher(tokenStore, extraDependencies),
+    async ([session, ...extraDependencies]) => await fetcher(session, extraDependencies),
     {
-      onSubscribe: ([tokenStore], refresh) => {
-        const handlerObj = tokenStore.onChange((newValue, oldValue) => {
-          if (newValue.refreshToken === oldValue?.refreshToken)
-            return;
-          refresh();
-        });
-        return () => handlerObj.unsubscribe();
+      onSubscribe: ([session], refresh) => {
+        const handler = session.onInvalidate(() => refresh());
+        return () => handler.unsubscribe();
       }
     }
   );
@@ -160,7 +126,7 @@ var _StackClientAppImpl = class __StackClientAppImpl {
     }
     numberOfAppsCreated++;
     if (numberOfAppsCreated > 10) {
-      console.warn(`You have created more than 10 Stack apps (${numberOfAppsCreated}). This is usually a sign of a memory leak. Make sure to minimize the number of Stack apps per page (usually, one per project).`);
+      (process.env.NODE_ENV === "development" ? console.log : console.warn)(`You have created more than 10 Stack apps (${numberOfAppsCreated}). This is usually a sign of a memory leak, but can sometimes be caused by hot reload of your tech stack. In production, make sure to minimize the number of Stack apps per page (usually, one per project).`);
     }
   }
   _uniqueIdentifier = void 0;
@@ -168,24 +134,24 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   _tokenStoreInit;
   _urlOptions;
   __DEMO_ENABLE_SLIGHT_FETCH_DELAY = false;
-  _currentUserCache = createCacheByTokenStore(async (tokenStore) => {
+  _currentUserCache = createCacheBySession(async (session) => {
     if (this.__DEMO_ENABLE_SLIGHT_FETCH_DELAY) {
       await wait(2e3);
     }
-    const user = await this._interface.getClientUserByToken(tokenStore);
+    const user = await this._interface.getClientUserByToken(session);
     return Result.or(user, null);
   });
   _currentProjectCache = createCache(async () => {
     return Result.orThrow(await this._interface.getClientProject());
   });
-  _ownedProjectsCache = createCacheByTokenStore(async (tokenStore) => {
-    return await this._interface.listProjects(tokenStore);
+  _ownedProjectsCache = createCacheBySession(async (session) => {
+    return await this._interface.listProjects(session);
   });
-  _currentUserPermissionsCache = createCacheByTokenStore(async (tokenStore, [teamId, type, direct]) => {
-    return await this._interface.listClientUserTeamPermissions({ teamId, type, direct }, tokenStore);
+  _currentUserPermissionsCache = createCacheBySession(async (session, [teamId, type, direct]) => {
+    return await this._interface.listClientUserTeamPermissions({ teamId, type, direct }, session);
   });
-  _currentUserTeamsCache = createCacheByTokenStore(async (tokenStore) => {
-    return await this._interface.listClientUserTeams(tokenStore);
+  _currentUserTeamsCache = createCacheBySession(async (session) => {
+    return await this._interface.listClientUserTeams(session);
   });
   _initUniqueIdentifier() {
     if (!this._uniqueIdentifier) {
@@ -208,26 +174,73 @@ var _StackClientAppImpl = class __StackClientAppImpl {
     return this._uniqueIdentifier;
   }
   _memoryTokenStore = createEmptyTokenStore();
-  _requestTokenStores = /* @__PURE__ */ new Map();
-  _getTokenStore(overrideTokenStoreInit) {
+  _requestTokenStores = /* @__PURE__ */ new WeakMap();
+  _storedCookieTokenStore = null;
+  get _refreshTokenCookieName() {
+    return `stack-refresh-${this.projectId}`;
+  }
+  get _accessTokenCookieName() {
+    return `stack-access`;
+  }
+  _getCookieTokenStore() {
+    if (!isBrowserLike()) {
+      throw new Error("Cannot use cookie token store on the server!");
+    }
+    if (this._storedCookieTokenStore === null) {
+      const getCurrentValue = (old) => ({
+        refreshToken: getCookie(this._refreshTokenCookieName) ?? getCookie("stack-refresh"),
+        // keep old cookie name for backwards-compatibility
+        // if there is an access token in memory already, don't update the access token based on cookies (access token
+        // cookies may be set by another project on the same domain)
+        // see the comment in _accessTokenCookieName for more information
+        accessToken: old === null ? getCookie(this._accessTokenCookieName) : old.accessToken
+      });
+      this._storedCookieTokenStore = new Store(getCurrentValue(null));
+      let hasSucceededInWriting = true;
+      setInterval(() => {
+        if (hasSucceededInWriting) {
+          const oldValue = this._storedCookieTokenStore.get();
+          const currentValue = getCurrentValue(oldValue);
+          if (!deepPlainEquals(currentValue, oldValue)) {
+            this._storedCookieTokenStore.set(currentValue);
+          }
+        }
+      }, 100);
+      this._storedCookieTokenStore.onChange((value) => {
+        try {
+          setOrDeleteCookie(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
+          setOrDeleteCookie(this._accessTokenCookieName, value.accessToken, { maxAge: 60 * 60 * 24 });
+          hasSucceededInWriting = true;
+        } catch (e) {
+          if (!isBrowserLike()) {
+            hasSucceededInWriting = false;
+          } else {
+            throw e;
+          }
+        }
+      });
+    }
+    return this._storedCookieTokenStore;
+  }
+  _getOrCreateTokenStore(overrideTokenStoreInit) {
     const tokenStoreInit = overrideTokenStoreInit === void 0 ? this._tokenStoreInit : overrideTokenStoreInit;
     switch (tokenStoreInit) {
       case "cookie": {
-        return cookieTokenStoreInitializer();
+        return this._getCookieTokenStore();
       }
       case "nextjs-cookie": {
-        if (isClient()) {
-          return cookieTokenStoreInitializer();
+        if (isBrowserLike()) {
+          return this._getCookieTokenStore();
         } else {
-          const store = new AsyncStore();
-          store.set({
-            refreshToken: getCookie("stack-refresh"),
-            accessToken: getCookie("stack-access")
+          const store = new Store({
+            refreshToken: getCookie(this._refreshTokenCookieName) ?? getCookie("stack-refresh"),
+            // keep old cookie name for backwards-compatibility
+            accessToken: getCookie(this._accessTokenCookieName)
           });
           store.onChange((value) => {
             try {
-              setOrDeleteCookie("stack-refresh", value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
-              setOrDeleteCookie("stack-access", value.accessToken, { maxAge: 60 * 60 * 24 });
+              setOrDeleteCookie(this._refreshTokenCookieName, value.refreshToken, { maxAge: 60 * 60 * 24 * 365 });
+              setOrDeleteCookie(this._accessTokenCookieName, value.accessToken, { maxAge: 60 * 60 * 24 });
             } catch (e) {
             }
           });
@@ -237,26 +250,102 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       case "memory": {
         return this._memoryTokenStore;
       }
-      case null: {
-        return createEmptyTokenStore();
-      }
       default: {
-        if (tokenStoreInit && typeof tokenStoreInit === "object" && "headers" in tokenStoreInit) {
+        if (tokenStoreInit === null) {
+          return createEmptyTokenStore();
+        } else if (typeof tokenStoreInit === "object" && "headers" in tokenStoreInit) {
           if (this._requestTokenStores.has(tokenStoreInit))
             return this._requestTokenStores.get(tokenStoreInit);
+          const stackAuthHeader = tokenStoreInit.headers.get("x-stack-auth");
+          if (stackAuthHeader) {
+            let parsed2;
+            try {
+              parsed2 = JSON.parse(stackAuthHeader);
+              if (typeof parsed2 !== "object")
+                throw new Error("x-stack-auth header must be a JSON object");
+              if (parsed2 === null)
+                throw new Error("x-stack-auth header must not be null");
+            } catch (e) {
+              throw new Error(`Invalid x-stack-auth header: ${stackAuthHeader}`, { cause: e });
+            }
+            return this._getOrCreateTokenStore({
+              accessToken: parsed2.accessToken ?? null,
+              refreshToken: parsed2.refreshToken ?? null
+            });
+          }
           const cookieHeader = tokenStoreInit.headers.get("cookie");
           const parsed = cookie.parse(cookieHeader || "");
-          const res = new AsyncStore({
-            refreshToken: parsed["stack-refresh"] || null,
-            accessToken: parsed["stack-access"] || null
+          const res = new Store({
+            refreshToken: parsed[this._refreshTokenCookieName] || parsed["stack-refresh"] || null,
+            // keep old cookie name for backwards-compatibility
+            accessToken: parsed[this._accessTokenCookieName] || null
           });
           this._requestTokenStores.set(tokenStoreInit, res);
           return res;
+        } else if ("accessToken" in tokenStoreInit || "refreshToken" in tokenStoreInit) {
+          return new Store({
+            refreshToken: tokenStoreInit.refreshToken,
+            accessToken: tokenStoreInit.accessToken
+          });
         }
         throw new Error(`Invalid token store ${tokenStoreInit}`);
       }
     }
   }
+  /**
+   * A map from token stores and session keys to sessions.
+   * 
+   * This isn't just a map from session keys to sessions for two reasons:
+   * 
+   * - So we can garbage-collect Session objects when the token store is garbage-collected
+   * - So different token stores are separated and don't leak information between each other, eg. if the same user sends two requests to the same server they should get a different session object
+   */
+  _sessionsByTokenStoreAndSessionKey = /* @__PURE__ */ new WeakMap();
+  _getSessionFromTokenStore(tokenStore) {
+    const tokenObj = tokenStore.get();
+    const sessionKey = InternalSession.calculateSessionKey(tokenObj);
+    const existing = sessionKey ? this._sessionsByTokenStoreAndSessionKey.get(tokenStore)?.get(sessionKey) : null;
+    if (existing)
+      return existing;
+    const session = this._interface.createSession({
+      refreshToken: tokenObj.refreshToken,
+      accessToken: tokenObj.accessToken
+    });
+    session.onAccessTokenChange((newAccessToken) => {
+      tokenStore.update((old) => ({
+        ...old,
+        accessToken: newAccessToken?.token ?? null
+      }));
+    });
+    session.onInvalidate(() => {
+      tokenStore.update((old) => ({
+        ...old,
+        accessToken: null,
+        refreshToken: null
+      }));
+    });
+    let sessionsBySessionKey = this._sessionsByTokenStoreAndSessionKey.get(tokenStore) ?? /* @__PURE__ */ new Map();
+    this._sessionsByTokenStoreAndSessionKey.set(tokenStore, sessionsBySessionKey);
+    sessionsBySessionKey.set(sessionKey, session);
+    return session;
+  }
+  _getSession(overrideTokenStoreInit) {
+    const tokenStore = this._getOrCreateTokenStore(overrideTokenStoreInit);
+    return this._getSessionFromTokenStore(tokenStore);
+  }
+  _useSession(overrideTokenStoreInit) {
+    const tokenStore = this._getOrCreateTokenStore(overrideTokenStoreInit);
+    const subscribe = useCallback((cb) => {
+      const { unsubscribe } = tokenStore.onChange(() => cb());
+      return unsubscribe;
+    }, [tokenStore]);
+    const getSnapshot = useCallback(() => this._getSessionFromTokenStore(tokenStore), [tokenStore]);
+    return React.useSyncExternalStore(subscribe, getSnapshot, getSnapshot);
+  }
+  async _signInToAccountWithTokens(tokens) {
+    const tokenStore = this._getOrCreateTokenStore();
+    tokenStore.set(tokens);
+  }
   _hasPersistentTokenStore(overrideTokenStoreInit) {
     return (overrideTokenStoreInit !== void 0 ? overrideTokenStoreInit : this._tokenStoreInit) !== null;
   }
@@ -336,24 +425,25 @@ var _StackClientAppImpl = class __StackClientAppImpl {
         });
       },
       async listTeams() {
-        const teams = await app._currentUserTeamsCache.getOrWait([app._getTokenStore()], "write-only");
+        const teams = await app._currentUserTeamsCache.getOrWait([app._getSession()], "write-only");
         return teams.map((json2) => app._teamFromJson(json2));
       },
       useTeams() {
-        const teams = useCache(app._currentUserTeamsCache, [app._getTokenStore()], "user.useTeams()");
+        const session = app._useSession();
+        const teams = useAsyncCache(app._currentUserTeamsCache, [session], "user.useTeams()");
         return useMemo(() => teams.map((json2) => app._teamFromJson(json2)), [teams]);
       },
       onTeamsChange(callback) {
-        return app._currentUserTeamsCache.onChange([app._getTokenStore()], (value, oldValue) => {
+        return app._currentUserTeamsCache.onChange([app._getSession()], (value, oldValue) => {
           callback(value.map((json2) => app._teamFromJson(json2)), oldValue?.map((json2) => app._teamFromJson(json2)));
         });
       },
       async listPermissions(scope, options) {
-        const permissions = await app._currentUserPermissionsCache.getOrWait([app._getTokenStore(), scope.id, "team", !!options?.direct], "write-only");
+        const permissions = await app._currentUserPermissionsCache.getOrWait([app._getSession(), scope.id, "team", !!options?.direct], "write-only");
         return permissions.map((json2) => app._permissionFromJson(json2));
       },
       usePermissions(scope, options) {
-        const permissions = useCache(app._currentUserPermissionsCache, [app._getTokenStore(), scope.id, "team", !!options?.direct], "user.usePermissions()");
+        const permissions = useAsyncCache(app._currentUserPermissionsCache, [app._getSession(), scope.id, "team", !!options?.direct], "user.usePermissions()");
         return useMemo(() => permissions.map((json2) => app._permissionFromJson(json2)), [permissions]);
       },
       usePermission(scope, permissionId) {
@@ -381,30 +471,36 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       displayName: json.displayName
     };
   }
-  _currentUserFromJson(json, tokenStore) {
+  _currentUserFromJson(json, session) {
     if (json === null)
       return null;
     const app = this;
     const currentUser = {
       ...this._userFromJson(json),
-      tokenStore,
-      async refreshAccessToken() {
-        await app._interface.refreshAccessToken(tokenStore);
+      _internalSession: session,
+      currentSession: {
+        async getTokens() {
+          const tokens = await session.getPotentiallyExpiredTokens();
+          return {
+            accessToken: tokens?.accessToken.token ?? null,
+            refreshToken: tokens?.refreshToken?.token ?? null
+          };
+        }
       },
       async updateSelectedTeam(team) {
-        await app._updateUser({ selectedTeamId: team?.id ?? null }, tokenStore);
+        await app._updateUser({ selectedTeamId: team?.id ?? null }, session);
       },
       update(update) {
-        return app._updateUser(update, tokenStore);
+        return app._updateUser(update, session);
       },
       signOut() {
-        return app._signOut(tokenStore);
+        return app._signOut(session);
       },
       sendVerificationEmail() {
-        return app._sendVerificationEmail(tokenStore);
+        return app._sendVerificationEmail(session);
       },
       updatePassword(options) {
-        return app._updatePassword(options, tokenStore);
+        return app._updatePassword(options, session);
       }
     };
     if (this._isInternalProject()) {
@@ -463,13 +559,12 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       }
     };
   }
-  _createAdminInterface(forProjectId, tokenStore) {
+  _createAdminInterface(forProjectId, session) {
     return new StackAdminInterface({
       baseUrl: this._interface.options.baseUrl,
       projectId: forProjectId,
       clientVersion,
-      projectOwnerTokens: tokenStore,
-      refreshProjectOwnerTokens: async () => await this._interface.refreshAccessToken(tokenStore)
+      projectOwnerSession: session
     });
   }
   get projectId() {
@@ -478,6 +573,18 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   get urls() {
     return getUrls(this._urlOptions);
   }
+  async getCrossOriginHeaders() {
+    return {
+      "x-stack-auth": JSON.stringify(await this.getCrossOriginTokenObject())
+    };
+  }
+  async getCrossOriginTokenObject() {
+    const user = await this.getUser();
+    if (!user)
+      return { accessToken: null, refreshToken: null };
+    const tokens = await user.currentSession.getTokens();
+    return tokens;
+  }
   async _redirectTo(handlerName, options) {
     const url = this.urls[handlerName];
     if (!url) {
@@ -555,8 +662,8 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   }
   async getUser(options) {
     this._ensurePersistentTokenStore(options?.tokenStore);
-    const tokenStore = this._getTokenStore(options?.tokenStore);
-    const userJson = await this._currentUserCache.getOrWait([tokenStore], "write-only");
+    const session = this._getSession(options?.tokenStore);
+    const userJson = await this._currentUserCache.getOrWait([session], "write-only");
     if (userJson === null) {
       switch (options?.or) {
         case "redirect": {
@@ -571,20 +678,18 @@ var _StackClientAppImpl = class __StackClientAppImpl {
         }
       }
     }
-    return this._currentUserFromJson(userJson, tokenStore);
+    return this._currentUserFromJson(userJson, session);
   }
   useUser(options) {
     this._ensurePersistentTokenStore(options?.tokenStore);
     const router = NextNavigation.useRouter();
-    const tokenStore = this._getTokenStore(options?.tokenStore);
-    const userJson = useCache(this._currentUserCache, [tokenStore], "useUser()");
+    const session = this._getSession(options?.tokenStore);
+    const userJson = useAsyncCache(this._currentUserCache, [session], "useUser()");
+    const triggerRedirectToSignIn = useTrigger(() => router.replace(this.urls.signIn));
     if (userJson === null) {
       switch (options?.or) {
         case "redirect": {
-          runAsynchronously(async () => {
-            await wait(0);
-            router.replace(this.urls.signIn);
-          });
+          triggerRedirectToSignIn();
           suspend();
           throw new StackAssertionError("suspend should never return");
         }
@@ -597,19 +702,19 @@ var _StackClientAppImpl = class __StackClientAppImpl {
       }
     }
     return useMemo(() => {
-      return this._currentUserFromJson(userJson, tokenStore);
-    }, [userJson, tokenStore, options?.or]);
+      return this._currentUserFromJson(userJson, session);
+    }, [userJson, session, options?.or]);
   }
   onUserChange(callback) {
     this._ensurePersistentTokenStore();
-    const tokenStore = this._getTokenStore();
-    return this._currentUserCache.onChange([tokenStore], (userJson) => {
-      callback(this._currentUserFromJson(userJson, tokenStore));
+    const session = this._getSession();
+    return this._currentUserCache.onChange([session], (userJson) => {
+      callback(this._currentUserFromJson(userJson, session));
     });
   }
-  async _updateUser(update, tokenStore) {
-    const res = await this._interface.setClientUserCustomizableData(update, tokenStore);
-    await this._refreshUser(tokenStore);
+  async _updateUser(update, session) {
+    const res = await this._interface.setClientUserCustomizableData(update, session);
+    await this._refreshUser(session);
     return res;
   }
   async signInWithOAuth(provider) {
@@ -618,35 +723,38 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   }
   async signInWithCredential(options) {
     this._ensurePersistentTokenStore();
-    const tokenStore = this._getTokenStore();
-    const errorCode = await this._interface.signInWithCredential(options.email, options.password, tokenStore);
-    if (!errorCode) {
-      await this.redirectToAfterSignIn({ replace: true });
+    const session = this._getSession();
+    const result = await this._interface.signInWithCredential(options.email, options.password, session);
+    if (!(result instanceof KnownError)) {
+      await this._signInToAccountWithTokens(result);
+      return await this.redirectToAfterSignIn({ replace: true });
     }
-    return errorCode;
+    return result;
   }
   async signUpWithCredential(options) {
     this._ensurePersistentTokenStore();
-    const tokenStore = this._getTokenStore();
+    const session = this._getSession();
     const emailVerificationRedirectUrl = constructRedirectUrl(this.urls.emailVerification);
-    const errorCode = await this._interface.signUpWithCredential(
+    const result = await this._interface.signUpWithCredential(
       options.email,
       options.password,
       emailVerificationRedirectUrl,
-      tokenStore
+      session
     );
-    if (!errorCode) {
-      await this.redirectToAfterSignUp({ replace: true });
+    if (!(result instanceof KnownError)) {
+      await this._signInToAccountWithTokens(result);
+      return await this.redirectToAfterSignUp({ replace: true });
     }
-    return errorCode;
+    return result;
   }
   async signInWithMagicLink(code) {
     this._ensurePersistentTokenStore();
-    const tokenStore = this._getTokenStore();
-    const result = await this._interface.signInWithMagicLink(code, tokenStore);
+    const session = this._getSession();
+    const result = await this._interface.signInWithMagicLink(code, session);
     if (result instanceof KnownError) {
       return result;
     }
+    await this._signInToAccountWithTokens(result);
     if (result.newUser) {
       await this.redirectToAfterSignUp({ replace: true });
     } else {
@@ -655,9 +763,9 @@ var _StackClientAppImpl = class __StackClientAppImpl {
   }
   async callOAuthCallback() {
     this._ensurePersistentTokenStore();
-    const tokenStore = this._getTokenStore();
-    const result = await callOAuthCallback(this._interface, tokenStore, this.urls.oauthCallback);
+    const result = await callOAuthCallback(this._interface, this.urls.oauthCallback);
     if (result) {
+      await this._signInToAccountWithTokens(result);
       if (result.newUser) {
         await this.redirectToAfterSignUp({ replace: true });
         return true;
@@ -668,16 +776,16 @@ var _StackClientAppImpl = class __StackClientAppImpl {
     }
     return false;
   }
-  async _signOut(tokenStore) {
-    await this._interface.signOut(tokenStore);
+  async _signOut(session) {
+    await this._interface.signOut(session);
     await this.redirectToAfterSignOut();
   }
-  async _sendVerificationEmail(tokenStore) {
+  async _sendVerificationEmail(session) {
     const emailVerificationRedirectUrl = constructRedirectUrl(this.urls.emailVerification);
-    return await this._interface.sendVerificationEmail(emailVerificationRedirectUrl, tokenStore);
+    return await this._interface.sendVerificationEmail(emailVerificationRedirectUrl, session);
   }
-  async _updatePassword(options, tokenStore) {
-    return await this._interface.updatePassword(options, tokenStore);
+  async _updatePassword(options, session) {
+    return await this._interface.updatePassword(options, session);
   }
   async signOut() {
     const user = await this.getUser();
@@ -689,64 +797,64 @@ var _StackClientAppImpl = class __StackClientAppImpl {
     return await this._currentProjectCache.getOrWait([], "write-only");
   }
   useProject() {
-    return useCache(this._currentProjectCache, [], "useProject()");
+    return useAsyncCache(this._currentProjectCache, [], "useProject()");
   }
   onProjectChange(callback) {
     return this._currentProjectCache.onChange([], callback);
   }
   async _listOwnedProjects() {
     this._ensureInternalProject();
-    const tokenStore = this._getTokenStore();
-    const json = await this._ownedProjectsCache.getOrWait([tokenStore], "write-only");
+    const session = this._getSession();
+    const json = await this._ownedProjectsCache.getOrWait([session], "write-only");
     return json.map((j) => this._projectAdminFromJson(
       j,
-      this._createAdminInterface(j.id, tokenStore),
-      () => this._refreshOwnedProjects(tokenStore)
+      this._createAdminInterface(j.id, session),
+      () => this._refreshOwnedProjects(session)
     ));
   }
   _useOwnedProjects() {
     this._ensureInternalProject();
-    const tokenStore = this._getTokenStore();
-    const json = useCache(this._ownedProjectsCache, [tokenStore], "useOwnedProjects()");
+    const session = this._getSession();
+    const json = useAsyncCache(this._ownedProjectsCache, [session], "useOwnedProjects()");
     return useMemo(() => json.map((j) => this._projectAdminFromJson(
       j,
-      this._createAdminInterface(j.id, tokenStore),
-      () => this._refreshOwnedProjects(tokenStore)
+      this._createAdminInterface(j.id, session),
+      () => this._refreshOwnedProjects(session)
     )), [json]);
   }
   _onOwnedProjectsChange(callback) {
     this._ensureInternalProject();
-    const tokenStore = this._getTokenStore();
-    return this._ownedProjectsCache.onChange([tokenStore], (projects) => {
+    const session = this._getSession();
+    return this._ownedProjectsCache.onChange([session], (projects) => {
       callback(projects.map((j) => this._projectAdminFromJson(
         j,
-        this._createAdminInterface(j.id, tokenStore),
-        () => this._refreshOwnedProjects(tokenStore)
+        this._createAdminInterface(j.id, session),
+        () => this._refreshOwnedProjects(session)
       )));
     });
   }
   async _createProject(newProject) {
     this._ensureInternalProject();
-    const tokenStore = this._getTokenStore();
-    const json = await this._interface.createProject(newProject, tokenStore);
+    const session = this._getSession();
+    const json = await this._interface.createProject(newProject, session);
     const res = this._projectAdminFromJson(
       json,
-      this._createAdminInterface(json.id, tokenStore),
-      () => this._refreshOwnedProjects(tokenStore)
+      this._createAdminInterface(json.id, session),
+      () => this._refreshOwnedProjects(session)
     );
-    await this._refreshOwnedProjects(tokenStore);
+    await this._refreshOwnedProjects(session);
     return res;
   }
-  async _refreshUser(tokenStore) {
-    await this._currentUserCache.refresh([tokenStore]);
+  async _refreshUser(session) {
+    await this._currentUserCache.refresh([session]);
   }
   async _refreshUsers() {
   }
   async _refreshProject() {
     await this._currentProjectCache.refresh([]);
   }
-  async _refreshOwnedProjects(tokenStore) {
-    await this._ownedProjectsCache.refresh([tokenStore]);
+  async _refreshOwnedProjects(session) {
+    await this._ownedProjectsCache.refresh([session]);
   }
   static get [stackAppInternalsSymbol]() {
     return {
@@ -785,15 +893,15 @@ var _StackClientAppImpl = class __StackClientAppImpl {
         };
       },
       setCurrentUser: (userJsonPromise) => {
-        runAsynchronously(this._currentUserCache.forceSetCachedValueAsync([this._getTokenStore()], userJsonPromise));
+        runAsynchronously(this._currentUserCache.forceSetCachedValueAsync([this._getSession()], userJsonPromise));
       }
     };
   }
 };
 var _StackServerAppImpl = class extends _StackClientAppImpl {
   // TODO override the client user cache to use the server user cache, so we save some requests
-  _currentServerUserCache = createCacheByTokenStore(async (tokenStore) => {
-    const user = await this._interface.getServerUserByToken(tokenStore);
+  _currentServerUserCache = createCacheBySession(async (session) => {
+    const user = await this._interface.getServerUserByToken(session);
     return Result.or(user, null);
   });
   _serverUsersCache = createCache(async () => {
@@ -884,15 +992,15 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
         });
       },
       async listTeams() {
-        const teams = await app._serverTeamsCache.getOrWait([app._getTokenStore()], "write-only");
+        const teams = await app._serverTeamsCache.getOrWait([app._getSession()], "write-only");
         return teams.map((json2) => app._serverTeamFromJson(json2));
       },
       useTeams() {
-        const teams = useCache(app._serverTeamsCache, [app._getTokenStore()], "user.useTeams()");
+        const teams = useAsyncCache(app._serverTeamsCache, [app._getSession()], "user.useTeams()");
         return useMemo(() => teams.map((json2) => app._serverTeamFromJson(json2)), [teams]);
       },
       onTeamsChange(callback) {
-        return app._serverTeamsCache.onChange([app._getTokenStore()], (value, oldValue) => {
+        return app._serverTeamsCache.onChange([app._getSession()], (value, oldValue) => {
           callback(value.map((json2) => app._serverTeamFromJson(json2)), oldValue?.map((json2) => app._serverTeamFromJson(json2)));
         });
       },
@@ -901,7 +1009,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
         return permissions.map((json2) => app._serverPermissionFromJson(json2));
       },
       usePermissions(scope, options) {
-        const permissions = useCache(app._serverTeamUserPermissionsCache, [scope.id, json.id, "team", !!options?.direct], "user.usePermissions()");
+        const permissions = useAsyncCache(app._serverTeamUserPermissionsCache, [scope.id, json.id, "team", !!options?.direct], "user.usePermissions()");
         return useMemo(() => permissions.map((json2) => app._serverPermissionFromJson(json2)), [permissions]);
       },
       usePermission(scope, permissionId) {
@@ -921,20 +1029,26 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       }
     };
   }
-  _currentServerUserFromJson(json, tokenStore) {
+  _currentServerUserFromJson(json, session) {
     if (json === null)
       return null;
     const app = this;
     const nonCurrentServerUser = this._serverUserFromJson(json);
     const currentUser = {
       ...nonCurrentServerUser,
-      tokenStore,
-      async refreshAccessToken() {
-        await app._interface.refreshAccessToken(tokenStore);
+      _internalSession: session,
+      currentSession: {
+        async getTokens() {
+          const tokens = await session.getPotentiallyExpiredTokens();
+          return {
+            accessToken: tokens?.accessToken.token ?? null,
+            refreshToken: tokens?.refreshToken?.token ?? null
+          };
+        }
       },
       async delete() {
         const res = await nonCurrentServerUser.delete();
-        await app._refreshUser(tokenStore);
+        await app._refreshUser(session);
         return res;
       },
       async updateSelectedTeam(team) {
@@ -942,20 +1056,20 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       },
       async update(update) {
         const res = await nonCurrentServerUser.update(update);
-        await app._refreshUser(tokenStore);
+        await app._refreshUser(session);
         return res;
       },
       signOut() {
-        return app._signOut(tokenStore);
+        return app._signOut(session);
       },
       getClientUser() {
-        return app._currentUserFromJson(json, tokenStore);
+        return app._currentUserFromJson(json, session);
       },
       sendVerificationEmail() {
-        return app._sendVerificationEmail(tokenStore);
+        return app._sendVerificationEmail(session);
       },
       updatePassword(options) {
-        return app._updatePassword(options, tokenStore);
+        return app._updatePassword(options, session);
       }
     };
     if (this._isInternalProject()) {
@@ -1013,7 +1127,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
         await app._serverTeamsCache.refresh([]);
       },
       useMembers() {
-        const result = useCache(app._serverTeamMembersCache, [json.id], "team.useUsers()");
+        const result = useAsyncCache(app._serverTeamMembersCache, [json.id], "team.useUsers()");
         return useMemo(() => result.map((u) => app._serverTeamMemberFromJson(u)), [result]);
       },
       async addUser(userId) {
@@ -1037,9 +1151,9 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
   }
   async getServerUser() {
     this._ensurePersistentTokenStore();
-    const tokenStore = this._getTokenStore();
-    const userJson = await this._currentServerUserCache.getOrWait([tokenStore], "write-only");
-    return this._currentServerUserFromJson(userJson, tokenStore);
+    const session = this._getSession();
+    const userJson = await this._currentServerUserCache.getOrWait([session], "write-only");
+    return this._currentServerUserFromJson(userJson, session);
   }
   async getServerUserById(userId) {
     const json = await this._serverUserCache.getOrWait([userId], "write-only");
@@ -1047,20 +1161,20 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
   }
   useServerUser(options) {
     this._ensurePersistentTokenStore();
-    const tokenStore = this._getTokenStore();
-    const userJson = useCache(this._currentServerUserCache, [tokenStore], "useServerUser()");
+    const session = this._getSession();
+    const userJson = useAsyncCache(this._currentServerUserCache, [session], "useServerUser()");
     return useMemo(() => {
       if (options?.required && userJson === null) {
         use(this.redirectToSignIn());
       }
-      return this._currentServerUserFromJson(userJson, tokenStore);
-    }, [userJson, tokenStore, options?.required]);
+      return this._currentServerUserFromJson(userJson, session);
+    }, [userJson, session, options?.required]);
   }
   onServerUserChange(callback) {
     this._ensurePersistentTokenStore();
-    const tokenStore = this._getTokenStore();
-    return this._currentServerUserCache.onChange([tokenStore], (userJson) => {
-      callback(this._currentServerUserFromJson(userJson, tokenStore));
+    const session = this._getSession();
+    return this._currentServerUserCache.onChange([session], (userJson) => {
+      callback(this._currentServerUserFromJson(userJson, session));
     });
   }
   async listServerUsers() {
@@ -1068,7 +1182,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
     return json.map((j) => this._serverUserFromJson(j));
   }
   useServerUsers() {
-    const json = useCache(this._serverUsersCache, [], "useServerUsers()");
+    const json = useAsyncCache(this._serverUsersCache, [], "useServerUsers()");
     return useMemo(() => {
       return json.map((j) => this._serverUserFromJson(j));
     }, [json]);
@@ -1082,7 +1196,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
     return await this._serverTeamPermissionDefinitionsCache.getOrWait([], "write-only");
   }
   usePermissionDefinitions() {
-    return useCache(this._serverTeamPermissionDefinitionsCache, [], "usePermissions()");
+    return useAsyncCache(this._serverTeamPermissionDefinitionsCache, [], "usePermissions()");
   }
   _serverPermissionFromJson(json) {
     return {
@@ -1093,7 +1207,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
     };
   }
   async createPermissionDefinition(data) {
-    const permission = await this._serverPermissionFromJson(await this._interface.createPermissionDefinition(data));
+    const permission = this._serverPermissionFromJson(await this._interface.createPermissionDefinition(data));
     await this._serverTeamPermissionDefinitionsCache.refresh([]);
     return permission;
   }
@@ -1115,7 +1229,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
     return this._serverTeamFromJson(team);
   }
   useTeams() {
-    const teams = useCache(this._serverTeamsCache, [], "useServerTeams()");
+    const teams = useAsyncCache(this._serverTeamsCache, [], "useServerTeams()");
     return useMemo(() => {
       return teams.map((t) => this._serverTeamFromJson(t));
     }, [teams]);
@@ -1130,10 +1244,10 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
       return teams.find((t) => t.id === teamId) ?? null;
     }, [teams, teamId]);
   }
-  async _refreshUser(tokenStore) {
+  async _refreshUser(session) {
     await Promise.all([
-      super._refreshUser(tokenStore),
-      this._currentServerUserCache.refresh([tokenStore])
+      super._refreshUser(session),
+      this._currentServerUserCache.refresh([session])
     ]);
   }
   async _refreshUsers() {
@@ -1143,7 +1257,7 @@ var _StackServerAppImpl = class extends _StackClientAppImpl {
     ]);
   }
   useEmailTemplates() {
-    return useCache(this._serverEmailTemplatesCache, [], "useEmailTemplates()");
+    return useAsyncCache(this._serverEmailTemplatesCache, [], "useEmailTemplates()");
   }
   async listEmailTemplates() {
     return await this._serverEmailTemplatesCache.getOrWait([], "write-only");
@@ -1170,9 +1284,8 @@ var _StackAdminAppImpl = class extends _StackServerAppImpl {
         baseUrl: options.baseUrl ?? getDefaultBaseUrl(),
         projectId: options.projectId ?? getDefaultProjectId(),
         clientVersion,
-        ..."projectOwnerTokens" in options ? {
-          projectOwnerTokens: options.projectOwnerTokens,
-          refreshProjectOwnerTokens: options.refreshProjectOwnerTokens
+        ..."projectOwnerSession" in options ? {
+          projectOwnerSession: options.projectOwnerSession
         } : {
           publishableClientKey: options.publishableClientKey ?? getDefaultPublishableClientKey(),
           secretServerKey: options.secretServerKey ?? getDefaultSecretServerKey(),
@@ -1232,7 +1345,7 @@ var _StackAdminAppImpl = class extends _StackServerAppImpl {
     );
   }
   useProjectAdmin() {
-    const json = useCache(this._adminProjectCache, [], "useProjectAdmin()");
+    const json = useAsyncCache(this._adminProjectCache, [], "useProjectAdmin()");
     return useMemo(() => this._projectAdminFromJson(
       json,
       this._interface,
@@ -1253,7 +1366,7 @@ var _StackAdminAppImpl = class extends _StackServerAppImpl {
     return json.map((j) => this._createApiKeySetFromJson(j));
   }
   useApiKeySets() {
-    const json = useCache(this._apiKeySetsCache, [], "useApiKeySets()");
+    const json = useAsyncCache(this._apiKeySetsCache, [], "useApiKeySets()");
     return useMemo(() => {
       return json.map((j) => this._createApiKeySetFromJson(j));
     }, [json]);